How “Kessler’s Flying Circus” cookie-stuffed its way to $5.2M from eBay

California man pleads guilty to an ingenious fraud.

Between May 2006 and June 2007, Brian Andrew Dunning made $5.2 million—all of it from eBay. Dunning wasn't selling Velvet Elvis posters and antique dinner plates through the auction site, however. He earned the money from affiliate commissions, getting paid whenever he directed people to eBay and they made purchases or won auctions. He was so successful at driving this traffic to eBay that his company, Kessler's Flying Circus, became the number two eBay affiliate in the entire world.

His numbers grew so high and so fast that eBay began asking awkward questions almost immediately. How exactly, eBay wanted to know, was Dunning driving all of this traffic to the site? The company was well aware of the wide variety of tricks that affiliates could use to boost their stats, including one called "cookie stuffing." With cookie stuffing, affiliates would surreptitiously "stuff" their own eBay cookie into user computers. The next time the user visited eBay, the cookie would credit any sales commissions to the affiliate's account. (Each cookie contained an affiliate ID number; if a computer already had an eBay cookie on it, the most recently created one was used to pay out affiliate commissions.) These commissions weren't measured in pennies, either. At the time, eBay was offering $25 to affiliates for every single new "active user" and a whopping 50 percent commission on any user's auction wins so long as they exceeded $100 within a week's time.

eBay worried that Kessler's Flying Circus had cookie-stuffed its way into the second place affiliate slot. But Dunning told an eBay employee looking into the matter that he was "absolutely confident" that he was operating "in line with the intended spirit of the terms." Dunning's partner told eBay separately that any problems were simply "coding errors."

eBay wasn't convinced. So in 2008, it sued Dunning in federal court. The litigation proved frustrating for the auction giant, which at one point sought sanctions against Dunning for not turning over discovery materials in a timely fashion. Two years later, the case still hadn't reached trial.

In the meantime, eBay had convinced the FBI to investigate. In June 2010, a grand jury returned a criminal indictment against Dunning that accused him of wire fraud. His crime? Cookie stuffing.

Stuff it

The indictment laid out an ingenious scheme to spread eBay cookies linked to Kessler's Flying Circus widely across the Internet. Dunning developed free applications like WhoLinked, which displayed a list of sites linking to the site where WhoLinked was installed. This appealed to people's vanity and desire to show how credible their site was—"See, readers, I receive the most external traffic from PrestigiousWebsite.com!" The tool came in flavors for WordPress, Blogger, Movable Type, and other blogging platforms. Installation was dead simple.

Did it work? Those who installed it weren't sure, but it was still cool to see a list of your best linkers. Some users noted the little "What's this?" tag at the bottom of the WhoLinked widget and wondered why it triggered a drop-down box with an odd-looking link to eBay of all places. One early user wrote in May 2006 that this was a "cloaked" affiliate link, and he wrote Dunning to ask why it was there. (According to eBay, obfuscated JavaScript was used to disguise the link.)

Dunning replied that the link followed eBay's rules and that it helped "offset only a small percentage of the thousands of dollars he spends each month in hosting WhoLinked." The user concluded, "Sounds like a fair trade for a free service."

But according to the feds, Dunning used free programs like WhoLinked to do far more than this. When a blog page containing WhoLinked was loaded, WhoLinked generated a silent "ad clickthrough" to eBay in the background. Users would see nothing, but eBay would serve up a cookie containing the Kessler's Flying Circus affiliate link. The user's Web browser would dutifully save the cookie and, the next time that user visited eBay, any affiliate revenue generated went to Dunning and company. In such cases, users had never seen an eBay ad, nor had they clicked on anything eBay-related. These were not cases in which eBay wanted to pay affiliates.

Dunning took steps to make this activity harder to detect. According to the government, his programs would not stuff cookies on any computers that appeared to be located in San Jose or Santa Barbara, California (the respective headquarters of eBay and of the outside company eBay used to manage the affiliate program). eBay further alleged that Dunning had programmed his tools not to double stuff machines that had been targeted before. After all, the presence of two eBay cookies bearing the same affiliate ID numbers might have raised a flag in eBay's anti-fraud systems.
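The two evasions described above leave a gap that can itself be measured from the program operator's side. The following is an added example, not code from the article, eBay or the case record: it compares each affiliate's click log with its peers and flags an affiliate that never receives a click from the watched locations or never sees a returning client when peer traffic makes that absence statistically unlikely. The record layout, affiliate IDs, thresholds and sample data are constructed assumptions.

```python
from collections import Counter, defaultdict

# The two locations the article says the tools skipped.
WATCHED_CITIES = {"San Jose", "Santa Barbara"}
ALPHA = 0.01  # flag only patterns that chance explains less than 1% of the time


def summarize(clicks):
    """Per affiliate: total clicks, clicks from watched cities, clicks per client."""
    stats = defaultdict(lambda: {"clicks": 0, "watched": 0, "per_client": Counter()})
    for affiliate, client, city in clicks:
        entry = stats[affiliate]
        entry["clicks"] += 1
        entry["watched"] += city in WATCHED_CITIES
        entry["per_client"][client] += 1
    return stats


def flag_affiliates(clicks, min_clicks=50):
    """Return {affiliate: [flags]} for affiliates whose traffic lacks what peers show."""
    stats = summarize(clicks)
    findings = {}
    for affiliate, own in stats.items():
        others = [s for a, s in stats.items() if a != affiliate]
        base_clicks = sum(s["clicks"] for s in others)
        if own["clicks"] < min_clicks or base_clicks == 0:
            continue
        base_clients = sum(len(s["per_client"]) for s in others)
        # Peer rates; clicks are treated as independent draws (a simplification).
        p_watched = sum(s["watched"] for s in others) / base_clicks
        p_repeat = sum(n > 1 for s in others for n in s["per_client"].values()) / base_clients
        flags = []
        # Zero clicks from the watched cities, although the peer rate makes that unlikely.
        if own["watched"] == 0 and (1 - p_watched) ** own["clicks"] < ALPHA:
            flags.append("geo_gap")
        # No client ever clicked twice, although peers do see returning clients.
        clients = own["per_client"]
        if max(clients.values()) == 1 and (1 - p_repeat) ** len(clients) < ALPHA:
            flags.append("no_repeat_clients")
        if flags:
            findings[affiliate] = flags
    return findings


def build_sample_clicks():
    """Constructed (affiliate, client, city) records; every value is made up."""
    cities = ["Austin", "San Jose", "Chicago", "Denver", "Boston",
              "Miami", "Santa Barbara", "Seattle", "Dallas", "Portland"]
    quiet = [c for c in cities if c not in WATCHED_CITIES]
    clicks = []
    for aff in ("aff-101", "aff-102"):
        for i in range(100):
            # Every fifth click comes from the client seen on the previous click.
            client = f"{aff}-c{i - 1 if i % 5 == 4 else i}"
            clicks.append((aff, client, cities[i % len(cities)]))
    # High-volume affiliate: one click per client, none from the watched cities.
    for i in range(200):
        clicks.append(("aff-999", f"aff-999-c{i}", quiet[i % len(quiet)]))
    # Tiny affiliate with the same shape: too little data to call it anomalous.
    for i in range(5):
        clicks.append(("aff-small", f"aff-small-c{i}", quiet[i]))
    return clicks


if __name__ == "__main__":
    print(flag_affiliates(build_sample_clicks()))
```

The small affiliate has the same shape as the flagged one but is not reported even with `min_clicks=1`, because five clicks are too few for the absence to be significant.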

The complex case has moved slowly toward trial—until today, when the now 47-year-old Dunning pled guilty to a reduced charge.

The government wanted Dunning to forfeit "all property constituting, and derived from, proceeds the defendant obtained, directly and indirectly, as the result of those violations." In other words, it wanted the full $5.2 million. While admitting to the general contours of the eBay cookie-stuffing scheme, Dunning insisted that it accounted for only some portion of the $5.2 million total. A separate evidentiary hearing on August 8 will determine exactly how much of that amount was fraudulent.

47 Reader Comments

I didn't know that many people still use eBay. I can probably count on one hand the number of items I've bought from there in the last 3 years. Page after page of shady listings, half truths, obscured defects, and a lot of dollar store crap. And when you do find the rare item you actually want to buy, fees after fees (paypal, shipping, insurance, etc) negate any savings you stood to pocket vs buying the same item at any other online store.

Edit: punctuation.

If nobody used it, they wouldn't have so many listings, now would they?

I sell and buy on eBay- and I think you need to learn how to sift through the crap to find the good stuff...like panning for gold.

Listings don't necessarily equate to sales. eBay can still take a profit from a listing, even if no sale occurs.

Take shopping for new items for example. I'd rather spend $100 for a pair of brakes for my bike on Amazon (with Prime shipping!), and be done in 5 minutes, than spend 2 hours sorting through seller storefronts, comparing shipping costs, transit time, condition, which ones come with all mounting hardware, which ones might be floor demos, knockoffs, etc, just to save $5 in the end.

To those posters who say "I don't use or trust Ebay", I have had one fraudulent transaction in around 150. And that was a case where I chose to take the risk and buy something that "looked too good to be true". Other than that, Ebay has proven a fantastic way to buy and sell products cheaply and efficiently.

I've had two. One I didn't even realize was fraudulent until much later. (I didn't check for the etched maker's mark on crystal because the crystal "looked" right and so I "knew" the maker's mark was there. Silly me.)

The secret: Check the feedback percent. Less than 99%, don't bother. Look for "revised feedback." It's on the right, under the tabs. A number greater than zero screams, "Danger, Will Robinson!" Finally, read the negative feedback. Some customers are just cranky, and their feedback should be dismissed.

A seller who passes those tests is probably safe. Especially if the total number of feedback entries is greater than 100, but do not immediately discount new sellers.

Ebay is an online market place for anyone who has anything for auction/sale. This means that it is an online flea market where you can find valuable items for low prices. This does not mean you go around buying every item that seems like a good deal because in any market there are scammers and fakes that profit off dumb mistakes.

Ebay will always be a site where customers will have at least some responsibility to protect themselves. No different from any RL flea market, really. But come on, guys - like the site or don't, think it's popular or don't, but NONE of that has anything to do with this article. Can we stay on topic?

For one thing, I think this serves as a great example of how malicious software can be used in a way where it never has to be downloaded explicitly and the user never notices a difference afterward. This is why you should make sure every 3rd party feature you put on your site has been vetted beforehand! Sure, this was mostly harmless to the user and actually kind of clever, but you can't be sure the next one will be!

Ebay is awesome, but like some of you have said, there are a lot of bad listings in ebay.

If you are an informed buyer you can get a lot of stuff from ebay cheaper than you can anywhere else. I don't mean low grade stuff. There are plenty of high end names to be bought for cheap. You must know how to use Ebay's sorting features or you will pay too much.

As a seller on ebay, I can see why my fees have been steadily rising. Guys like him are hurting the economy. What he did may be very clever, but it is stealing.

I didn't know that many people still use eBay. I can probably count on one hand the number of items I've bought from there in the last 3 years. Page after page of shady listings, half truths, obscured defects, and a lot of dollar store crap. And when you do find the rare item you actually want to buy, fees after fees (paypal, shipping, insurance, etc) negate any savings you stood to pocket vs buying the same item at any other online store.

Edit: punctuation.

What a load of old cobblers! First off, Paypal is fee-less for the Buyer, only the Seller pays Paypal fees; shipping is often free, and I always forgo insurance for lower-cost, non-fragile items when I buy on eBay. You really don't need it most of the time and frankly when you do need it, it's not that expensive.

I was a long-time buyer on eBay before I started selling last year. Both my spouse and I have wardrobes full of attractive, well-made, high-end clothing, for about the price of what it would have cost us to buy crappy, poorly-made clothing at Walmart. I've returned TWO pieces of clothing for cause & got my money back both times. I've bought: CDs, books, art, home furnishings, kitchen ware, jewelry, furniture, antiques, and gifts on eBay and been very happy with my purchases. My HEPA air cleaner (that I bought on eBay 10 years ago) died yesterday so I just bought a replacement on eBay from the same seller I've been buying well-priced HEPA filters from for the past four years. I buy vintage and/or semi-precious beads for my small jewelry-making business on eBay from all around the world. I have always been able to find great deals and unusual finds with a little searching. Searching that I enjoy doing, for fun.

Conversely, the people who have purchased pop culture items, books, and comics from my eBay store really appreciate how well I pack their purchases and how fair my prices are, and they give me good feedback in return. Does eBay take a huge bite out of my profits with their fees? IMO, yes; but not quite enough for me to stop selling on eBay--they've really figured out how to be juuuust this side of unfair enough to line their pockets, but not so unfair that it drives sellers away. Do Sellers or Buyers behave badly occasionally? So far, only one Buyer got pissy with me and frankly it was 50% my fault through a lapse of attention, and we worked it out between us so that we both came away happy from the deal. Same thing for the three or four Sellers I've had words with.

Maybe I've been "lucky" so far since I registered on eBay in 1998, but I have a feedback score of 1,800+, 100% positive, so that's a lot of luck to have if eBay has so many nefarious, horrible vermicious knids on it.

For a newbie like yourself, the sekrit to successful buying on eBay is READ THE FEEDBACK and don't bid or Buy It Now from anyone who doesn't have a ton of very good feedback. You'll be safer that way. But the next time you either spend $199 on a designer coat or $25 for a crappy coat online or at a brick-and-mortar, you should remember that somewhere out there, I'm spending $25 for a designer coat on eBay.

It sounds like eBay came up with a very poorly engineered technology for their affiliate program, and way overpaid for what they got in return. Even if no cookie stuffing was used, the causality between finding the eBay cookie and someone buying sometime (weeks, months?) later on eBay seems rather tenuous. I'm sure that eBay felt that they didn't get the advertising that they paid for, but that should have been treated like any commercial dispute, rather than wasting government money on prosecuting it as a crime with a grand jury and all.

THIS. Most "expensive" (i.e. over $20) items can be had for the same price elsewhere, but usb cords, phone covers, etc.. There is no beating Chinese stores with free shipping.

Chinese stores are great if you're looking for indoor fireworks. I'd stay away from electrical goods (USB cables being lower risk). I've dismantled some of this junk and seen alarmingly dangerous build quality. They don't to worry about luxuries like earthing, fuses and using wire thick enough to carry AC voltages.

About this novel idea; get rid of 'affiliate' programmes - I could understand maybe driving traffic of other high traffic sites but these days almost every man and his dog knows about ebay so why is there still a need for such a programme?

Sounds like a prize ratbag. But I don't get how what he did qualifies as wire fraud. At least not any more so than all the major corporations that sneak cookies onto users' computers in order to (supposedly) target adverts at them. Why has some fraction of the FBI's limited resources been tied up investigating this, when it really is eBay's problem?

The old story of the clever criminal who got too greedy. If he'd been content with a couple hundred thousand instead of $5 mil, he probably wouldn't even have shown up on ebay's radar.

However, it seems that ebay might take a bit of the blame here for setting up a system that was ripe for abuse. Could they not audit a small, randomly selected percentage of affiliate referrals by asking the buyer "Our records indicate that you were referred to ebay by CompanyXYZ - is this correct?" during checkout? Include a short description of how the referral system works so the buyer understands exactly what's being asked.

What's starting to bug me now is eBay Turbo sellers listing the same item 30 times with a small tweak to the name.

Like, I was looking for a Motorola Bluetooth headset. You do that on eBay, then sort it by price, and you see what I mean. On a desktop or laptop it is annoying a little bit, but on the Android eBay app it is very annoying to use, as you have to scroll down so far before you get to the next product.

http://www.ebay.co.uk/sch/i.html?_ipg=2 ... &_udlo=3.5 Note this is set to 200 items, so if you're on a phone I do not recommend clicking on it. You see that same item posted over 500 times with a small tweak to the name (I had to go to page 3 before that same listing stopped).

eBay needs to sort that crap out: if user ID A lists 2 or more items at the same price, first rule; second rule, if the 2 items have the same word 3 times, auto raise a review for that listing; multiple same listings with the same names and price should be blocked automatically (max 10-20).

There is one eBay seller that has 440,000 items on his eBay account but he only sells under 200 unique products. He has basically done listings like this: "2gb of DDR3 ram for {insert every make of laptop known to man}". If you do an eBay search for 4gb DDR3 and sort it by price there will be 2-4 pages of RAM (this is on 200 per page view). Correction: 614,328 now (he just added 28 as I reloaded the page) >> http://www.ebay.co.uk/sch/offtek.memory/m.html

I didn't know that many people still use eBay. I can probably count on one hand the number of items I've bought from there in the last 3 years. Page after page of shady listings, half truths, obscured defects, and a lot of dollar store crap. And when you do find the rare item you actually want to buy, fees after fees (paypal, shipping, insurance, etc) negate any savings you stood to pocket vs buying the same item at any other online store.

Edit: punctuation.

I believe that you may be the exception and not the rule. Anyway the story is not about whether you like ebay or not. I've had good service and have not had any problems and this comment and my reply is off topic.

So basically, I just need to come up with a fraud scheme, steal millions of dollars, and then claim that I definitely committed fraud, but only a few of those millions were from the scheme. Then I can still keep a chunk of that money? Pffft, who needs investing?!

Sounds like a prize ratbag. But I don't get how what he did qualifies as wire fraud. At least not any more so than all the major corporations that sneak cookies onto users' computers in order to (supposedly) target adverts at them. Why has some fraction of the FBI's limited resources been tied up investigating this, when it really is eBay's problem?

So ebay comes up with a program that says if you do A, B, and C, we will pay you $x. This guy figures that A, B, and C are too hard but D is easier. He does D. The questions I have:

Did he have a contract with ebay? Did his actions violate the contract? If so, this is a civil matter.

While what he did was slimy to ebay, did it break any law? Or, is a law being stretched to be used in this case?

Ultimately, I wonder if a company sets up a program that has a loophole and someone takes advantage of the loophole, are they really guilty of violating a law? I guess in this case, the fact that he tried to cover his tracks certainly makes it seem that he knew he was doing something wrong.

Reading this I can't help but wonder why Ebay is using cookies instead of session variables to track this. It seems like if they only want to pay on direct links they would work much better and mitigate a lot of this issue (at least it would clear up the problem with the user going back to ebay themselves and another entity getting paid for doing nothing).

I think traditionally most people think of one-off items. The things I've purchased are all things like N64 controllers in their original packaging (sue me, the MadCatz just don't feel the same).

That said, that kind of a commission on their more luxury items like vintage cars could yield quite a profit.

Fraud, sure. Just as brilliant though. He's a clever guy.

I've never used ebay, but I used to make extensive use (and still occasionally do) of their sister site, half.com (think consignment shop instead of auction house). It's great for tracking down out-of-production books, cds, and especially video games (just a year ago I managed to find two copies of the old Rama point-and-click adventure game for less than $20 total; my sister mentioned missing it from when we were kids, so I looked and bought a new copy for each of us).

I prefer to buy outright; the uncertainty and inconvenience of the auction method isn't to my liking. Now if there were a site that operated similar to the Auction House in Final Fantasy XI, I'd be all over that (price was hidden -- though you could view a history of previous successful sale prices -- and basically you enter what you think it's worth; if what you entered was more than they'd set, you win).

This Dunning character claims he stuffed only part of his ill-gotten gains, can he actually show how much money he did NOT earn through fraud...?

It's so sad the lengths some people go to to lay their hands on other people's money. Makes you wonder about our species as a whole.

Do not fool yourself - humans are like every other animal in nature - prone to steal - rape - pillage - damage - destroy - plunder - kill and so on. We are simply aware of it. All society is - is a pseudo attempt at suppressing nature. Hell - we even have laws against going nude. How many other animals on the planet wear clothing?

To be fair, not everywhere is so prudish as to ban nudity, though I usually only see us getting more repressed in that regard (most recent example I know of is Brattleboro, Vermont, USA, which didn't ban public nudity until around 2009; was rather annoyed by that, used to skinnydip in the river there all the time, though at least the police there are sane and just ignore it in certain areas they know people go to for it).

Reading this I can't help but wonder why Ebay is using cookies instead of session variables to track this. It seems like if they only want to pay on direct links they would work much better and mitigate a lot of this issue (at least it would clear up the problem with the user going back to ebay themselves and another entity getting paid for doing nothing).

I have a feeling - ever since eBay found out about this guy (and probably others that have done something similar) they have taken measures to counter these approaches. Remember - these events all occurred circa 2006± (read: 7 years ago). The Internet has drastically changed since then. I remember when PayPal was a joke and had as many security holes as Facebook has today with very little trust in the company. Then eBay bought them and turned it around and personally my trust in PayPal outweighs - handing my credit card info over to some random Joe's Website for a purchase (and some legit Sites for that matter). So something tells me eBay probably doesn't allow their flagship business to slip to a lower level than their subsidiary.

This Dunning character claims he stuffed only part of his ill-gotten gains, can he actually show how much money he did NOT earn through fraud...?

It's so sad the lengths some people go to to lay their hands on other people's money. Makes you wonder about our species as a whole.

Do not fool yourself - humans are like every other animal in nature - prone to steal - rape - pillage - damage - destroy - plunder - kill and so on. We are simply aware of it. All society is - is a pseudo attempt at suppressing nature. Hell - we even have laws against going nude. How many other animals on the planet wear clothing?

To be fair, not everywhere is so prudish as to ban nudity, though I usually only see us getting more repressed in that regard (most recent example I know of is Brattleboro, Vermont, USA, which didn't ban public nudity until around 2009; was rather annoyed by that, used to skinnydip in the river there all the time, though at least the police there are sane and just ignore it in certain areas they know people go to for it).

LOL - so frakking NOT the point. The examples were the important take away from that.

My point stands! Not everywhere is completely corrupted by the beliefs of the Abrahamic religions, lol

I didn't know that many people still use eBay. I can probably count on one hand the number of items I've bought from there in the last 3 years. Page after page of shady listings, half truths, obscured defects, and a lot of dollar store crap. And when you do find the rare item you actually want to buy, fees after fees (paypal, shipping, insurance, etc) negate any savings you stood to pocket vs buying the same item at any other online store.

Edit: punctuation.

It has its uses. For example, last Christmas, when decorating the tree, an ornament with commemorative value was broken. We were able to find an identical item on eBay and had it within a week. That would be much, much harder without eBay.